Bad effects of blocking IPv6 ping

Started by evantkh, June 14, 2015, 06:11:15 AM

evantkh

As far as I know, blocking all ICMPv6 is a bad idea as it may cause connectivity issues.
In my setup, I would like to open only the things (e.g. some TCP ports, UDP ports) that I really need to use, leaving all other things dropped unless allowed by ip6tables connection tracking with ESTABLISHED,RELATED traffic allowed.
In this case, the server will not be pingable using ICMPv6 echo request from the internet. Will it cause other issues?



kriteknetworks

What do you gain by blocking icmp6?

broquea

block type 139/140, and rate limit the rest. problem solved.

evantkh

Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

evantkh

Quote from: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.

What are the bad effects of blocking echo request?

In my current setup, I can ping outside, LAN devices can ping each other, but outside cannot ping inside.

evantkh

Quote from: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.

I forgot to mention that I am using a stateful firewall, not the stateless one.
Is it good to use ip6tables connection tracking instead of exposing the inbound icmpv6 connectivity to the internet?

kriteknetworks

Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

You already said this. You didn't answer my question. What do you gain by blocking icmp6?

evantkh

Quote from: kriteknetworks on June 15, 2015, 11:18:12 AM
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

You already said this. You didn't answer my question. What do you gain by blocking icmp6?

I am not specifically against having icmp6 open, but I am against having anything open. This will lead to devices not being pingable from the internet, and people said that blocking ping (echo request) is a bad idea without explaining how it affects icmp6 error signalling, and the icmp6 type is not the same as echo request.
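
Added example, not written by any poster in this thread: a shell function that prints an `ip6tables-restore` ruleset combining the two approaches discussed above (connection tracking with ESTABLISHED,RELATED, plus dropping types 139/140 and rate limiting the remaining ICMPv6). The function name `icmp6_ruleset`, its `drop`/`allow` echo switch, and the limit values are assumptions made for illustration; the thread gives no numbers.

```shell
#!/bin/sh
# Added example: prints a ruleset in ip6tables-restore format; changes nothing itself.
# Check it without loading:  icmp6_ruleset drop | ip6tables-restore --test
# Assumed values (not from the thread): 10/second limit, burst of 20.
icmp6_ruleset() {
    echo_policy="${1:-drop}"   # "drop" = not pingable from outside, "allow" = pingable
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies, and ICMPv6 errors (types 1-4) tied to a tracked outbound flow,
# match here as ESTABLISHED or RELATED, so error signalling keeps working.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Node Information Query (139) and Response (140): the types to block.
-A INPUT -p ipv6-icmp --icmpv6-type 139 -j DROP
-A INPUT -p ipv6-icmp --icmpv6-type 140 -j DROP
EOF
    if [ "$echo_policy" != "allow" ]; then
        # Unsolicited echo request from outside; outbound ping replies are
        # already accepted by the conntrack rule above.
        echo "-A INPUT -p ipv6-icmp --icmpv6-type 128 -j DROP"
    fi
    cat <<'EOF'
# The rest of ICMPv6 (neighbor discovery, router advertisements, ...) is
# accepted under a rate limit instead of being left to the DROP policy.
-A INPUT -p ipv6-icmp -m limit --limit 10/second --limit-burst 20 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
COMMIT
EOF
}
```

Rule order matters: the 139/140 and echo drops must sit above the rate-limited accept, otherwise the accept matches first.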